Showing posts with label Hacking. Show all posts

Monday, September 26, 2011

[+]d'ZheNwaY's Blog[+]: NetworkMiner v1.1 Released – Windows ...

NetworkMiner


NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.

NetworkMiner collects data (such as forensic evidence) about hosts on the network rather than data about the traffic on the network. The main user interface view is host centric (information grouped per host) rather than packet centric (information shown as a list of packets/frames).


NetworkMiner has, since the first release in 2007, become a popular tool among incident response teams as well as law enforcement. NetworkMiner is today used by companies and organizations all over the world.

Feature                                          NetworkMiner (free edition)   NetworkMiner Professional
Live sniffing                                    Yes                           Yes
Parse PCAP files                                 Yes                           Yes
Receive Pcap-over-IP                             -                             Yes
OS Fingerprinting (*)                            Yes                           Yes
Port Independent Protocol Identification (PIPI)  -                             Yes
Export results to CSV / Excel                    -                             Yes
Configurable file output directory               -                             Yes
Geo IP localization (**)                         -                             Yes
Host coloring support                            -                             Yes
Command line scripting support                   -                             Yes (through NetworkMinerCLI)
PCAP parsing speed (***)                         0.581 MB/s                    0.457 MB/s (GUI version), 0.735 MB/s (command line version)
Price                                            Free                          500 EUR

Download NetworkMiner (free edition) | Buy NetworkMiner Professional

* Fingerprinting of Operating Systems (OS) is performed by using databases from Satori and p0f
** This product includes GeoLite data created by MaxMind, available from http://maxmind.com/
*** Measured by loading dump.eth0.1059726000 from Defcon 11 (189MB) on a PC with Intel Core 2 Duo (2.66 GHz) and 2GB RAM

NetworkMiner can extract files and certificates transferred over the network by parsing a PCAP file or by sniffing traffic directly from the network. This functionality can be used to extract and save media files (such as audio or video files) which are streamed across a network from websites such as YouTube. Supported protocols for file extraction are FTP, TFTP, HTTP and SMB.


Screenshot: NetworkMiner Professional showing files extracted from sniffed network traffic to disk

Screenshot: NetworkMiner Professional showing thumbnails for images extracted to disk


User credentials (usernames and passwords) for supported protocols are extracted by NetworkMiner and displayed under the "Credentials" tab. The credentials tab sometimes also shows information that can be used to identify a particular person, such as user accounts for popular online services like Gmail or Facebook.


Another very useful feature is that the user can search sniffed or stored data for keywords. NetworkMiner allows the user to insert arbitrary string or byte-patterns that shall be searched for with the keyword search functionality.
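The host-centric view described at the top of this post and the keyword search described just above can both be illustrated with a small PCAP reader. The following is an added example written for this page, not NetworkMiner's own code: it parses the classic little-endian pcap container (Ethernet/IPv4/TCP only), builds a per-host summary (peers, ports that answered with SYN+ACK, hostnames taken from HTTP Host headers) and runs a byte-pattern keyword search over payloads. The capture it analyzes is constructed inline, with hosts 10.0.0.5 and 192.0.2.10 chosen as sample addresses; file and certificate extraction, which NetworkMiner also does, is not shown here.

```python
"""Host-centric view of a PCAP file plus keyword search (added example, not NetworkMiner code)."""
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4   # stored little-endian, so the file starts with d4 c3 b2 a1
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
SYN, ACK, PSH = 0x02, 0x10, 0x08


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero (the parser ignores them)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64,
                     IPPROTO_TCP, 0, bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap container (v2.4, Ethernet link type)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + ts, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Return [(src_ip, dst_ip, sport, dport, tcp_flags, payload)] for every TCP/IPv4 packet."""
    magic, = struct.unpack("<I", data[:4])
    linktype, = struct.unpack("<I", data[20:24])
    if magic != PCAP_MAGIC_LE or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian pcap with Ethernet frames is handled here")
    packets, pos = [], 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack("<IIII", data[pos:pos + 16])[2]
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4                    # IPv4 header length in bytes
        total_len = struct.unpack("!H", frame[16:18])[0]
        if frame[23] != IPPROTO_TCP:
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:14 + total_len]            # ignore Ethernet padding past IP length
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4                       # TCP header length in bytes
        packets.append((src, dst, sport, dport, tcp[13], tcp[doff:]))
    return packets


def host_view(packets):
    """Group what the capture reveals per host (peers, answering ports, HTTP hostnames)."""
    hosts = defaultdict(lambda: {"open_ports": set(), "peers": set(), "hostnames": set()})
    for src, dst, sport, dport, flags, payload in packets:
        hosts[src]["peers"].add(dst)
        hosts[dst]["peers"].add(src)
        if flags & (SYN | ACK) == SYN | ACK:            # SYN+ACK: src accepted a connection on sport
            hosts[src]["open_ports"].add(sport)
        if payload.startswith((b"GET ", b"POST ")):     # the HTTP Host header names the server
            for line in payload.split(b"\r\n"):
                if line.lower().startswith(b"host:"):
                    hosts[dst]["hostnames"].add(line[5:].strip().decode("ascii", "replace"))
    return dict(hosts)


def keyword_search(packets, keywords):
    """Return (src, dst, keyword) for every payload containing one of the byte patterns."""
    return [(src, dst, kw) for src, dst, _, _, _, payload in packets
            for kw in keywords if kw in payload]


# Constructed sample capture: one HTTP exchange between a client and a web server.
CLIENT, SERVER = "10.0.0.5", "192.0.2.10"
SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT, SERVER, 40000, 80, SYN),
    build_frame(SERVER, CLIENT, 80, 40000, SYN | ACK),
    build_frame(CLIENT, SERVER, 40000, 80, PSH | ACK,
                b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    build_frame(SERVER, CLIENT, 80, 40000, PSH | ACK,
                b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>secret-token-123</html>"),
])

if __name__ == "__main__":
    pkts = parse_pcap(SAMPLE_PCAP)
    for ip, info in host_view(pkts).items():
        print(ip, sorted(info["open_ports"]), sorted(info["hostnames"]), sorted(info["peers"]))
    print(keyword_search(pkts, [b"secret-token", b"password"]))
```

Nothing here transmits a packet; like NetworkMiner in PCAP mode, the script only reads what was already captured, which is why the host summary is built from SYN+ACK replies and Host headers rather than from probes.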


NetworkMiner Professional comes installed on a specially designed USB flash drive. You can run NetworkMiner directly from the USB flash drive since NetworkMiner is a portable application that doesn't require any installation. We at Netresec do, however, recommend that you copy NetworkMiner to the local hard drive of your computer in order to achieve maximum performance.


» Buy NetworkMiner Professional «


More Information


For more information about NetworkMiner, please see the NetworkMiner Wiki page on SourceForge.
There are also several blog posts about NetworkMiner on the NETRESEC Network Security Blog:



You can download NetworkMiner v1.1 here:


NetworkMiner_1-1.zip


nb : netresec


Source: http://dzhenway.blogspot.com/2011/09/networkminer-v11-released-windows.html


[+]d'ZheNwaY's Blog[+]: Nation-State Attackers Are Adobe's Biggest ...

SAN FRANCISCO -- It's no secret that attackers have made Adobe's products key targets for the last couple of years, routinely going after bugs in Reader, Flash and Acrobat in targeted attacks and widespread campaigns alike. But it's not just the rank-and-file bad guys who are making Adobe a priority; it's more often nation-states, the company's top security official said.


Adobe, like many other large software companies, has contacts in the big defense contractors, government agencies and other organizations that are most often the targets of state-sponsored attacks. So when a new attack begins, the company typically hears about it within hours as customers begin to call and report a new threat involving an Adobe product. Since the company began its software security program several years ago, the sophistication level of the people finding and exploiting new bugs in Flash or Reader has gone up significantly.


Now, says Brad Arkin, the senior director of product security and privacy at Adobe, it's at a point where the company's main adversaries are state-sponsored actors.


"In the last eighteen months, the only zero days found in our software have been found by what Dave Aitel would call carrier-class adversaries," Arkin said in his keynote speech at the United Security Summit here Tuesday. "These are the groups that have enough money to build an aircraft carrier. Those are our adversaries."


Arkin said that when a new attack involving a zero-day bug in one of Adobe's products starts, it typically will begin with attacks against a select group of high-profile organizations. That usually means defense contractors, government agencies or large financial services companies. Once the security teams at those organizations find and analyze the threat, Arkin said his team will begin getting a flurry of calls within an hour or two as the campaign hits.


From there, the attack will often move down the ladder to other large enterprises and then smaller ones as the new exploit shows up in crimeware packs and automated attack tools. By that time, it's likely an entirely different set of attackers using the exploit. But it's the well-funded and highly skilled attackers who are doing the real heavy lifting in terms of finding new bugs and designing methods to exploit them.


"These samples trickle downhill really quickly and show up in crime packs," Arkin said. "The actual exploits it turns out are very, very expensive and difficult to build. Finding the flaw is a lot easier than writing the exploit. If you want to defend against the carrier-class adversary, it's a very different cost."


Perhaps the most famous example of this kind of targeted attack is the one that hit RSA Security earlier this year. In that case, the company was compromised through the use of a phishing email that contained an Excel file with a malicious SWF file embedded inside it. An employee opened the email and then the attachment and the attack was off and running from there. Arkin said that while his team didn't get a sample of the malicious file from RSA, it did see others from organizations that likely were targeted by the same campaign.


"We have lots of friends in the places where people get attacked a lot and I don't think that RSA was the only target in that campaign," he said.


nb : threatpost

Source: http://dzhenway.blogspot.com/2011/09/nation-state-attackers-are-adobes.html


[+]d'ZheNwaY's Blog[+]: Microsoft dumps partner over telephone ...



One of Microsoft's Gold Partners has had its relationship with the software giant unceremoniously terminated, after being revealed to be orchestrating a telephone support scam.


Comantra, based in India, are said to have cold-called computer users in the UK, Australia, Canada and elsewhere, claiming to offer assistance in cleaning up virus infections.
The bogus support calls came from Comantra employees who claimed to be representing Microsoft, and used scare tactics to talk users into opening the Event Viewer on Windows, where a seemingly dangerous list of errors would be seen.


Once terrified by what appears to be a worrying collection of warning messages, and believing this was evidence of a malware infection, users would be tricked into allowing Comantra technicians to gain remote access to their computer, and hand over their credit card details to fix any "problems".
In the past, vulnerable elderly people have even been told by scammers that heavy rain may have caused a computer virus infection.


What makes the scam particularly audacious is that during the scam campaign, Comantra were a certified Gold partner of Microsoft, and when quizzed by skeptical computer owners would use their status to trick potential victims into believing the call was legitimate.

A search for "Comantra" on the internet finds a large number of posts and complaints about the scam telephone calls, stretching back over 18 months. Some users have even asked on Microsoft's own message forums how it is possible for the firm to have "Gold Partner" status.


As PC Pro reports, a Microsoft spokesperson has now confirmed that Comantra has at long last been struck off their Gold Partner list:


"We were made aware of a matter involving one of the members of the Microsoft Partner Network acting in a manner that caused us to raise concerns about this member's business practices. Following an investigation, the allegations were confirmed and we took action to terminate our relationship with the partner in question and revoke their Gold status."
"There are no circumstances under which we would ever allow partners or any other organisations to pose as Microsoft. We view matters such as these extremely seriously and take immediate action if such behaviour is brought to our attention and found to be the case."


Hmm.. Maybe someone should tell Comantra to update their website and remove that Gold Partner logo?


Comantra website with Gold Partner logo
Listen to this great podcast by Sophos experts Paul Ducklin and Sean Richmond where they discuss the problem of fake tech support calls, and the ways in which you can avoid falling for scams like this yourself:


(Duration 6:15 minutes, size 4.5MBytes)


Also, make sure that your family and friends are on their guard against suspicious tech support calls telling them about infections on their computer - even if the callers do claim to be from Microsoft. It only takes a lapse of common sense for you to hand your credit card details straight down the line to a criminal.


nb : nakedsecurity.sophos


Source: http://dzhenway.blogspot.com/2011/09/microsoft-dumps-partner-over-telephone.html


[+]d'ZheNwaY's Blog[+]: Malicious spam campaigns proliferating



Summary: In a recent blog post, researchers from Commtouch have summarized their observation status, and pointed out that someone is actively building crimeware-friendly botnets.




With spam continuing to represent the distribution vector of choice for the majority of cybercriminals, it shouldn’t be surprising that the volume of malicious spam campaigns is proliferating.


In a recent blog post, researchers from Commtouch have summarized their observations on last month's malicious spam campaigns, namely the UPS/FedEx, "Map of love" and "Hotel charge error" campaigns, and pointed out that someone is actively building crimeware-friendly botnets:


“Pre-outbreak levels varied between a few hundred million emails to around 2 billion per day.  The peak outbreak included distribution of nearly 25 billion emails with attached malware in one day.”


Malware campaigns have a cyclical pattern of distribution: cybercriminals constantly rotate and introduce new topics once the lifecycle of the previous campaign has reached the maturity stage. Meanwhile, users continue interacting with spam emails, clicking on links, downloading attachments and "unsubscribing" themselves, all of which contributes to the success of spam in general.


Now that the cybercriminals have set up the foundations for their botnet aggregation practices by spamvertising billions of emails, it's worth keeping an eye on the actual response rate of the command and control servers used in the campaigns in order to roughly estimate the damage caused by the campaigns.


nb : zdnet


Source: http://dzhenway.blogspot.com/2011/09/malicious-spam-campaigns-proliferating.html


[+]d'ZheNwaY's Blog[+]: Massachusetts Attorney General, Victim of ...

Massachusetts Attorney General Martha Coakley said on Tuesday that her office would be inquiring into long-standing complaints about fraudulent purchases that leverage Apple's popular online music store.


In a lunchtime address to business and technology leaders in Massachusetts, Coakley said she was a victim of identity theft in recent months, and that her stolen credit card information was used to make fraudulent iTunes purchases. When asked (by Threatpost) about whether such fraud constitutes a reportable event under the Bay State's strict data breach notification law, Coakley said that her office would be looking into that question and demanding answers from Cupertino, California based Apple, which has steadfastly refused to comment, or report the breaches to Massachusetts regulators.


Coakley was speaking before an audience of technology and business leaders at an inaugural lunch for Massachusetts' Advanced Cyber Security Center (ACSC). Coakley said that her investment in protecting consumers from identity theft was personal, acknowledging that her bank account was emptied after cyber criminals stole her debit card information during a ski trip to New Hampshire. It was not the first time Coakley had mentioned the incident in public. After skimming the card info, Coakley said the thieves attempted to use it to purchase a laptop from Dell Computer, which detected the fraudulent transaction and contacted Coakley. Not so Apple, whose iTunes media store was used to make a slew of transactions that emptied the Attorney General's account.


Informed of the well documented pattern of fraud through iTunes, in which stolen credit cards or bogus iTunes gift cards are matched with compromised iTunes accounts and used to purchase merchandise, Coakley said she wasn't aware of the larger pattern, but that it could be a reportable offense under the State's data privacy law. She promised her office would be contacting Apple for more information that very afternoon - a statement that received hearty applause from the audience.


Despite the tough tone, Coakley's speech was tailored more to a business audience wary of burdensome enforcement of State data privacy laws, including the State's data breach notification law and 201 CMR 17, the Massachusetts Data Protection Law. That law took effect in March, 2010 but the first fine under the law was issued in March of 2011 to Briar Group, a Boston-area restaurant chain that showed gross negligence in securing its networks and handling customers' credit card numbers.


Coakley said that companies that attempt, in good faith, to adhere to the State's privacy laws have little to fear in the way of fines or prosecution. However, organizations that flout the law or ignore the need for data security should count themselves warned.


Describing her office as the first line of defense for consumers, Coakley said her office was pursuing a "common sense" approach to enforcement and notification. Large breaches, such as the hack of Massachusetts retailer TJX, warrant an all out effort to notify the public. In the case of smaller breaches, Coakley said her office wanted to work with victim organizations to make sure that holes in their defenses and IT security practice are addressed.


The Attorney General said her office has received around 480 data breach notifications so far in 2011, and 1,166 since the law took effect in March, 2010 - suggesting that the incidence of data breaches is holding steady, despite a tough economy. The vast majority of those breaches are small in nature. Eighty two percent of disclosed breaches affected fewer than 100 people, and just 4% affected between 1,000 and 10,000 people. Similarly, hacking incidents only made up a quarter of the reported breaches, with another quarter due to inadvertent human error, Coakley said.


The State's breach notification law, dubbed 201 CMR 17, sets clear guidelines for the types of incidents that constitute reportable breaches. Any incident resulting in "the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data" that creates a "substantial risk of identity theft or fraud against a resident of the commonwealth" needs to be disclosed, and combinations of personal information, such as a name and credit card number, must be reported. That would seem to describe the use of Coakley's credit card information on iTunes. However, it is unclear whether Apple actually holds the data used to process the transaction on iTunes, or whether the purchases are merely "pass through" transactions about which Apple has no knowledge or visibility, according to a source within the Attorney General's Office.


nb : threatpost

Source: http://dzhenway.blogspot.com/2011/09/massachusetts-attorney-general-victim.html


[+]d'ZheNwaY's Blog[+]: Fixes in the Works For SSL Attack, But ...

With the release of the BEAST SSL attack research due tomorrow, researchers are beginning to take note of potential fixes and mitigations for the attack. One of the possibilities is moving to newer versions of TLS that are not vulnerable to the attack, but the problem is that there is precious little adoption of those newer versions.


Some of the browser vendors have been looking at possible remedies for the attack on TLS developed by Juliano Rizzo and Thai Duong, and Opera was the first to develop a fix for it. The company initially implemented the fix in its browser, but then discovered that it broke a small percentage of sites and did not push the fix into the final version of Opera. The default configuration of Opera isn't vulnerable to the new attack, but if users change some settings, the browser can become susceptible to the attack.


Rizzo and Duong's attack, which Rizzo will present at the Ekoparty conference on Friday, is aimed at TLS 1.0, which is an older version of the protocol; the newer versions are not vulnerable. However, as Opera's own research found, the adoption of TLS 1.1 and 1.2 among Web sites is far too low to just make the switch in the browser. Opera found that just 0.25 percent of sites support TLS 1.1 and 0.02 percent support version 1.2. TLS 1.0 is quite an old standard, and even versions 1.1 and 1.2 have been approved for several years now, but many of the more recent versions of the major browsers don't support the newer releases of TLS, which presents a problem for site operators who would like to upgrade. If their users can't handle TLS 1.1 or 1.2, upgrading could cost them customers.


For example, the latest version of Mozilla Firefox has the boxes for SSL 3.0 and TLS 1.0 checked by default and there is no option for users to enable support for newer versions of TLS. Internet Explorer 9 gives users the ability to enable support for TLS 1.1 and 1.2 in Internet Options under the Advanced tab. But, unless the site on the other end of the connection is using a newer version of the protocol as well, that doesn't do the user much good.


Opera isn't the only vendor who is working on a fix. Google also has been preparing a patch for its Chrome browser and the company has pushed that fix to its development channel already, officials say. The company is hoping to have the fix go through the typical process of moving to the beta channel and then the stable channel without having to push it out as an emergency fix.


A new report by security researcher Thierry Zoller that looked at browser support for various versions of the TLS protocol found that support for anything newer than TLS 1.0 is quite spotty. Also in the report, Zoller recommends that sites that use SSL drop support for SSL 2.0 and 3.0 and only support TLS 1.0 and later.
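A site operator weighing the advice above first needs to know which protocol version its servers actually negotiate. The following is an added example written for this page (not from the article, Opera, Google or Zoller): it reads the version field out of a captured TLS ClientHello or ServerHello and classifies it along the lines of the article, where SSL 3.0 should be dropped, TLS 1.0 is the version BEAST targets, and TLS 1.1/1.2 are unaffected. The hello messages are constructed inline; the verdict labels are this example's own. Note that the version inside a ServerHello is the negotiated one, while a ClientHello only states the highest version the client offers, and that SSL 2.0 hellos use a different framing and are rejected as "not a handshake record".

```python
"""Extract and classify the protocol version announced in a TLS hello (added example)."""
import struct

HANDSHAKE = 0x16                  # TLS record content type for handshake messages
CLIENT_HELLO, SERVER_HELLO = 1, 2
VERSION_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def build_hello(htype, major, minor):
    """Constructed minimal hello: zeroed random, empty session id, one cipher suite, null compression."""
    suites = b"\x00\x02\x00\x2f" if htype == CLIENT_HELLO else b"\x00\x2f"   # TLS_RSA_WITH_AES_128_CBC_SHA
    compression = b"\x01\x00" if htype == CLIENT_HELLO else b"\x00"
    body = bytes([major, minor]) + b"\x00" * 32 + b"\x00" + suites + compression
    handshake = bytes([htype]) + len(body).to_bytes(3, "big") + body
    # The record-layer version is fixed at 3.1 here, as many real clients do for compatibility.
    return bytes([HANDSHAKE, 3, 1]) + struct.pack("!H", len(handshake)) + handshake


def hello_version(record):
    """Parse one TLS record holding a ClientHello or ServerHello; return (role, version name)."""
    if len(record) < 11:
        raise ValueError("record too short")
    ctype, _rec_major, _rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    htype, hlen = body[0], int.from_bytes(body[1:4], "big")
    if htype not in (CLIENT_HELLO, SERVER_HELLO) or hlen < 2 or len(body) < 4 + hlen:
        raise ValueError("not a complete hello message")
    # The version that matters is the one inside the hello body, not the record-layer
    # version, which is often left at 3.1 regardless of what is negotiated.
    major, minor = body[4], body[5]
    role = "client" if htype == CLIENT_HELLO else "server"
    return role, VERSION_NAMES.get((major, minor), f"unknown ({major}.{minor})")


def assess(record):
    """Classify as in the article: drop SSL 3.0, flag TLS 1.0 (BEAST), accept TLS 1.1/1.2."""
    role, name = hello_version(record)
    if name == "SSL 3.0":
        verdict = "drop"
    elif name == "TLS 1.0":
        verdict = "beast-affected"
    elif name in ("TLS 1.1", "TLS 1.2"):
        verdict = "ok"
    else:
        verdict = "unknown"
    return role, name, verdict


if __name__ == "__main__":
    for rec in (build_hello(SERVER_HELLO, 3, 1), build_hello(SERVER_HELLO, 3, 3),
                build_hello(CLIENT_HELLO, 3, 0)):
        print(assess(rec))
```

Run over the ServerHello records of a capture, this gives the same picture Opera's survey gave for whole sites: how many connections still end up on TLS 1.0 or SSL 3.0, which is the number that decides whether switching the server to 1.1/1.2 would cut off real users.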


nb : threatpost

Source: http://dzhenway.blogspot.com/2011/09/fixes-in-works-for-ssl-attack-but.html


[+]d'ZheNwaY's Blog[+]: DroidSheep Android App Hijacks Sessions ...

Following the success of the Firesheep application, a new Android application called DroidSheep allows users to hijack Web sessions of popular online services over insecure Wifi connections.


DroidSheep enables Android-based man in the middle attacks against a wide range of Web sites, including Facebook.com, Flickr.com, Twitter.com, Linkedin.com, and non-encrypted services like “maps” on Google. DroidSheep’s official website claims that the app will work on almost any website that uses cookies.


It's a pretty simple process: once the app is downloaded, a user only has to start DroidSheep, click start, and wait for someone to connect to a given service on the same wifi network, at which point the user will be prompted on whether or not they want to jump in on that session.


All a user needs is a device that runs Android version 2.1 or higher, whether that device is a smartphone or some sort of tablet, with root access (and the app itself, obviously).


DroidSheep supports OPEN, WEP, WPA, and WPA2 secured networks, using a DNS-Spoofing attack on the last two.


As with the original FireSheep application, the developers of DroidSheep note that their application is “NOT INTENDED TO STEAL IDENTITIES,” but to show the weak security properties of big websites.


The release of a Firefox extension called “FireSheep” at the 2010 ToorCon conference caused an uproar, and prompted popular services like Facebook and Twitter among others to implement secure browsing features. It also helped fuel a larger discussion about the necessity of utilizing HTTPS encryption across the Web.



nb : threatpost

Source: http://dzhenway.blogspot.com/2011/09/droidsheep-android-app-hijacks-sessions.html


[+]d'ZheNwaY's Blog[+]: Homeless hacker arrested by FBI in LulzSec ...

According to media reports, the FBI has arrested two alleged hackers in San Francisco and Phoenix, believed to be associated with the LulzSec and Anonymous hacktivist groups.


And one of them is homeless.


FoxNews reports that search warrants have also been executed in the states of Minnesota, Montana and New Jersey as part of a wider FBI investigation into the groups who have launched attacks against government websites as well as corporations such as Sony.


23-year-old Cody Kretsinger, from Phoenix, Arizona, has been charged with computer offences, and is alleged to be the LulzSec member known as "Recursion". Kretsinger is accused of being involved in an SQL injection attack that stole information from Sony Pictures in June, exposing users' email addresses and passwords.


According to the indictment against Kretsinger, he is accused of using the hidemyass.com proxy service to cloak probes he made of Sony Pictures' computer systems in May 2011, hunting for vulnerabilities.


Approximately 150,000 confidential records were subsequently published online by LulzSec, who criticised Sony's weak security.


Authorities allege that Kretsinger wiped the hard drives used to carry out the attack on Sony in an attempt to hide forensic evidence.


"Recursion" is one of many handles used by members of the LulzSec hacking gang, and features in previously published internet chat logs of the group having what they believed to be private conversations.


Chat log between LulzSec members Topiary and Recursion
Meanwhile, the FBI arrested an alleged Anonymous member in San Francisco. The man, who is reported to be homeless, is said to have been involved in internet attacks against Santa Cruz County government websites.


Just because a man is homeless, of course, doesn't mean that he can't get an internet connection. Coffee houses, cafes, libraries, etc can all offer cheap or free internet access - and because the computer being used can be a shared device, it may be harder to identify who might have been responsible for an attack compared to a PC at a home.


At the same time, public places are often watched with CCTV cameras which means that if the authorities were able to identify a time and place, they may also be able to gather evidence as to who was at the location when an attack was begun from a particular computer.


Both LulzSec and the larger Anonymous hacktivist collective have had a tough time of late, with a series of arrests in the USA, UK and elsewhere around the globe.


Wannabe hackers might be wise to read the FBI's press release about the Kretsinger arrest, which points out that if convicted of the hacking offences he could face up to 15 years in prison.


nb : nakedsecurity.sophos


Source: http://dzhenway.blogspot.com/2011/09/homeless-hacker-arrested-by-fbi-in.html


Monday, August 23, 2010

create a shutdown virus

To create this virus, you do not need notepad. First of all, right click on your desktop, click "New" and then click "Shortcut". Then type the following in the given text box:
shutdown -s -t 200 -c "This is a fake virus"


and click Next, type "My Computer" in the given field and click Finish. After all this you will see a small shortcut on your desktop. Right click on that shortcut and go to Properties. In Properties, click on "Change Icon". Now change the icon of this shortcut to the same icon as My Computer. Now replace the original My Computer icon with this one. Now whenever your victim clicks on it, his/her computer will shut down after about 3 minutes (the 200-second delay set by -t). To stop the shutdown, go to Start -> Run and type "shutdown -a" (without the quotes).


or,


shutdown -s -t 10 -c "HARMLESS VIRUS DETECTED. BEGIN SHUTDOWN"


10 is the delay in seconds; you can use a different message.


tips:


1. To make your virus more convincing, you could name it Internet Explorer and change its icon through the Properties menu.


2. Running in full screen can make them even scarier. Right click on the icon -> properties -> options -> full screen.

Source: http://abgindia.blogspot.com/2010/08/create-shutdown-virus.html
